[Tutorial] Properly Securing Passwords

Introduction

SA-MP servers these days are constantly complaining of accounts being stolen or hacked. In order to protect these passwords, you must do several things to make sure the password the user enters is always, 100% secured. This means no one can read it, no one can hack it. If you were to attempt to hack it, it would theoretically take months on a supercomputer to crack one password. Yes, that's one password, not the whole database.
It is virtually impossible to "crack" a password using this method. Even if you have the salt, you would have to compute the hash 50 times for each guess that is made.

The Method - Registration
When the user chooses a password at registration, an 8-byte salt is created. This protects against brute-force attacks and rainbow tables (see references). The password is then hashed together with the salt. An example of a raw password with its salt, before hashing, would be "817568n5jkaj1k6a64dj74" (the raw password followed by the salt). After this, that string is hashed with a SECURE hash algorithm such as SHA-256 or Whirlpool. An example of a hashed password created with SHA-256 would be "f3fc0170501c092313bb5e7c818677b5fac3ca944122438f9b9d71e5457bed31". Then we hash the hash 50 times and store the result in our database. Here's the process shortened into point form:
  1. Password entered
  2. Salt created
  3. Password hashed with salt
  4. Hash hashed 50 times
  5. Hash stored in database
The Method - Logging In
I see nowadays that most scripters are confused about how to log in their users with only two things: a hashed password stored in a database, and a raw password entered by the user. It really is only a simple logic problem. You don't actually need the user's stored raw password to compare it with the one they entered at login. What you have to do is hash the password the user enters on login with the salt you grab from the database, 50 times. Once that's done, you take the user's entered (and now hashed) password and compare it with the hashed password in the database. If the comparison fails even though the password entered is correct, there is usually a problem in the code. Here's the process shortened into point form:
  1. User enters raw password
  2. Get salt from database
  3. Hash raw password with salt grabbed 50 times
  4. Get hashed password from database
  5. Compare the two hashes
  6. If true, log in success, if false, log in failure
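The registration and login steps above, written out as an added Python example (not code from the original post): `hash_password`, `register` and `login` are names chosen here, and the 8-byte salt is assumed to come from `os.urandom` since the post does not say how it is generated.

```python
import hashlib
import hmac
import os

ROUNDS = 50  # the round count the thread settled on


def hash_password(raw_password: str, salt: str) -> str:
    """The thread's scheme: sha256(password + salt), then re-hash the hex
    digest ROUNDS more times (51 sha256 calls in total, as in the PHP code)."""
    digest = hashlib.sha256((raw_password + salt).encode("utf-8")).hexdigest()
    for _ in range(ROUNDS):
        digest = hashlib.sha256(digest.encode("ascii")).hexdigest()
    return digest


def register(raw_password: str) -> dict:
    """Registration: create an 8-byte random salt (assumed: os.urandom),
    hash the password with it, and return the record to store."""
    salt = os.urandom(8).hex()  # 8 random bytes stored as 16 hex characters
    return {"salt": salt, "hash": hash_password(raw_password, salt)}


def login(raw_password: str, record: dict) -> bool:
    """Login: re-hash the entered password with the stored salt and compare
    it with the stored hash. The raw password is never stored or needed."""
    candidate = hash_password(raw_password, record["salt"])
    # Constant-time comparison so a mismatch does not leak how much of the hash matched.
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    stored = register("hunter2")  # constructed sample password
    print("stored record:", stored)
    print("correct password:", login("hunter2", stored))
    print("wrong password:  ", login("Hunter2", stored))
```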


The Code
Below is some example code in a couple of languages. The code below is written by me, feel free to use it.

Pawn
The following code utilizes the Hash/HMAC plugin by Teprey.
Pawn code:
stock HashPassword(password[], passwordSalt[])
{
    // Buffer for password + salt (40-char password, 16-char salt, terminating null)
    // and for the hex SHA-256 digest (64 characters plus the terminating null).
    new passwordWithSalt[40 + 16 + 1], hashedPassword[64 + 1];
    strcat(passwordWithSalt, password); // Copy the raw password into the (initially empty) buffer.
    strcat(passwordWithSalt, passwordSalt); // Append the salt to the raw password.
    hhash(SHA-256, passwordWithSalt, hashedPassword, sizeof(hashedPassword)); // Hash once with the salt.
    for(new i = 0; i < 50; i++) // Re-hash the hex digest 50 more times.
    {
        hhash(SHA-256, hashedPassword, hashedPassword, sizeof(hashedPassword));
    }
    return hashedPassword; // Return the final hex digest.
}
PHP
PHP code:
function hashPassword($rawPassword, $hashSalt)
{
    // Hash once: raw password with the salt appended.
    $hashRes = hash('sha256', $rawPassword . $hashSalt);
    // Re-hash the hex digest 50 more times.
    for ($round = 0; $round < 50; $round++)
    {
        $hashRes = hash('sha256', $hashRes);
    }
    return $hashRes;
}

References
http://en.wikipedia.org/wiki/Salt_(cryptography)
http://en.wikipedia.org/wiki/Brute-force_attack
http://en.wikipedia.org/wiki/Rainbow_table
http://en.wikipedia.org/wiki/Cryptog..._hash_function

Credit to ****** for his simplistic thread design.

Thread Change-Log
2013-07-08
  1. Instead of hashing 65536/65535 times, I updated it to now hash 50 times to eliminate the risk of having lag.
  2. Fixed PHP code: the loop was empty and did nothing
  3. Added "The Method - Logging In" and changed "The Method" to "The Method - Registration"


Messages In This Thread
Properly Securing Passwords - by SchurmanCQC - 22.02.2013, 00:59